From parents and guardians: Email address, display name, and a PIN you choose to protect the parent dashboard. This information is required to create and manage your account.
From children (with parental consent): First name, age range (3โ4, 5โ7, or 8โ12), conversation transcripts (text only), and lesson progress. We do not collect full names, addresses, phone numbers, or location data from children.
Voice and audio: Voice audio is processed in real time for speech recognition and is NOT stored. Only text transcripts of conversations are saved.
Usage data: Session length, features used, and streak data โ used to improve the product. Not sold or shared with advertisers.
We do not use your data for behavioral advertising. We do not sell your data to any third party.
PocketPals is built for children under 13 and is fully compliant with the Children's Online Privacy Protection Act (COPPA). We do not collect personal information from children without verifiable parental consent. The parent creates the account and consents on behalf of the child during onboarding.
For full details on how we comply with COPPA, see our COPPA Compliance Notice.
To exercise any of these rights, email privacy@pocketpals.app or use Parent Settings within the app. We respond within 30 days.
We use the following third-party subprocessors to operate PocketPals. Each has signed a Data Processing Agreement (DPA) with us governing how they handle your data:
| Subprocessor | Purpose | Child data accessed |
|---|---|---|
| Anthropic, PBC | Buddy LLM responses (Claude) | Yes โ conversation text. Anthropic does not train on PocketPals data. |
| OpenAI, LLC | Speech-to-text (Whisper STT) | Yes โ child voice audio chunks, immediately discarded post-transcription |
| ElevenLabs, Inc. | Buddy voice synthesis (TTS) | Indirect โ Buddy reply text only, no child voice input sent |
| Supabase, Inc. | Database, auth, storage (us-east-1) | Yes โ child profile, transcripts, memory facts |
| Vercel, Inc. | Application hosting, edge compute | In transit only โ transient request data |
| Stripe, Inc. | Web pathway parent payment + COPPA verification | No child data โ parent billing only |
| RevenueCat, Inc. | Native pathway subscription management | No child data โ parent subscription state only |
| Apple Inc. | iOS in-app billing | No child data โ parent App Store account only |
| Google LLC | Android in-app billing | No child data โ parent Play Store account only |
| Resend | Transactional email (parents) | Indirect โ parent email + child first name in digest only |
| PostHog Inc. | Product analytics | Yes โ UUID + event names only. Never first names or transcripts. |
| Sentry, Inc. | Error monitoring | Indirect โ scrubbed payloads only, no child PII |
| Clerk, Inc. | Operator surface authentication | No child data at launch โ ops surface only |
| Inngest, Inc. | Background job processing | Yes โ UUIDs and operation types only |
| Doppler, Inc. | Secrets management | No user data |
| Cloudflare, Inc. | DNS, edge security | In transit only |
We do not share your child's data with any third party for advertising, marketing, or analytics outside of the subprocessors listed above.
Voice transcripts are retained for 90 days, then converted to summaries. Summaries are retained while the account is active plus 30 days. Moderation and safety events are retained for 24 months. Parental consent records are retained for 7 years. Audit logs are retained indefinitely. Upon account deletion (by the parent or by inactivity), all child data is deleted within 30 days and you will receive a confirmation email.
| Data type | Retention period |
|---|---|
| Voice transcripts | 90 days, then summary-only |
| Conversation summaries | While account active + 30 days |
| Moderation & safety events | 24 months |
| Parental consent records | 7 years |
| Audit logs | Indefinite |
All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Parent PINs are hashed using bcrypt. Our database uses row-level security โ your child's data is only accessible to your account. We conduct periodic security reviews.
California residents have the right to know what personal information we collect, request deletion, and opt out of any sale of personal information. We do not sell personal information. Contact us at privacy@pocketpals.app to exercise your rights.
Parents in the EU and UK have rights to access, rectification, erasure, portability, restriction, and objection. We respond within 30 days. Contact: privacy@pocketpals.app.
Questions about this privacy policy or your data?
NuStack Digital Ventures LLC ยท Wyoming ยท We respond within 30 days.
Privacy Policy v3 โ 2026-04-25 ยท NuStack Digital Ventures LLC ยท Wyoming